Field Of The Invention

The invention relates generally to the field of digital data processing systems, and more particularly to arrangements for facilitating regulation of resource usage in distributed computing environments. The invention particularly provides an inexpensive certificate-based authentication arrangement for a distributed computing environment in which authentication certificates provided with requests to access resources provided by servers in the distributed computing environment include resource utilization permission information obtained from privilege certificates provided by the respective servers or by privilege certificate issuing authorities on behalf of the respective servers.

Background Of The Invention

In a distributed computing environment, a number of computer systems are interconnected by networks. In a distributed computing environment that is organized according to the conventional "client-server" paradigm, computers, as client computers, can make use of computing resources, such as applications, information files and so forth, which are provided by other computers and other components which can provide resources and other services as servers. In such an environment, computers may be exclusively client computers or exclusively server computers. Alternatively or in addition, computers may operate as both client computers and server computers, operating as a client computer when it requests access to a resource provided by another computer, and as a server computer in response to resource access requests from another computer.

A significant problem arising in connection with a distributed computing environment is how to regulate access to resources provided therein. Typically, security administrators make use of access control lists (so-called "ACLs") or similar devices to control access to resources provided by their respective systems. In an access control list-based system, the access control list identifies the particular resources that are available for use by an operator, on an operator-by-operator basis. In addition, the access control list can also identify limitations, if any, which have been placed on each particular operator's use of the resources which he or she has been authorized to use. When an operator, operating a client computer, wishes to make use of a resource that is provided by a system, the client computer will provide an identification for the operator and the particular resource or resources on the system that are to be accessed. If the system's access control list indicates that the operator has the appropriate "permissions," that is, if the access control list indicates that he or she is authorized to make use of the requested resource(s) for the purposes requested, the system will allow the resource(s) to be used in connection with the request. On the other hand, if the access control list indicates that the operator is not authorized to make use of the requested resource(s) for the purposes requested, the system will not allow the resource(s) to be used in connection with the request.

Several problems arise in connection with the use of access control lists and other mechanisms for regulating access to resources. One problem is to verify that an operator who is requesting access to use a resource is, in fact, who he or she says he or she is, thereby to "authenticate" the operator's identity. The severity of this problem, and measures taken to address it, may vary depending on the particular resource that is to be accessed. For example, if an operator is requesting access to information that is publicly available on the server, such as World Wide Web pages that a server is making publicly available over the Internet, verification of the identification of the operator requesting access to the Web page may not be a problem. However, if an operator is requesting access to information from a server that is confidential to the particular enterprise maintaining the server, the system would need to verify not only that the operator has permission to access the information, but also that the operator is who he or she says he or she is.

One way this problem has been addressed is through use of passwords. In a password-based authentication system, the operator provides not only his name or other identifier, which may be publicly known, but also a password, which would be known only to the operator and the system whose resource(s) is/are to be used. If the password provided to the system along with an access request matches the password known to the system for the operator identified by the identifier also provided with the access request, then the system would assume that the operator's identity has been authenticated and, if the access control list indicates that the operator can use the requested resource, allow access to the requested resource. On the other hand, if the password does not match the password known to the system for the operator identified by the identifier, the system will assume that the operator's identity has not been authenticated, and may refuse to allow access to the requested resource.

Several problems arise with the use of passwords to authenticate operators. First, in order for passwords to be useful, they need to be secure. However, if an operator does not treat his or her password as secure, that is, if he or she allows others access to his or her password, the security of the password will be compromised. Accordingly, a number of systems require operators to change their passwords frequently. This can create a problem particularly if an operator wishes to access resources on a number of systems, since the operator will need to keep his or her password up-to-date on each of the systems.

To avoid the problem of having to update passwords, authentication arrangements have been developed that issue authentication "certificates" for operators who may wish to access resources in a distributed arrangement. A certificate provides identifying indicia which a system can use to authenticate the identification of an operator requesting access to a resource provided by the system. The certificate is issued by a certification authority. A certification authority may be affiliated with systems that provide resources that may be accessed, or it may be a third-party entity that vouches for the identity of the operators to whom it issues certificates. In a certificate-based system, the system would rely on the authentication provided by the certification authority and the operator need not be previously identified to the system, which would be necessary in, for example, a password-based system. This would alleviate the problems noted above in connection with password-based systems, since the operator need not update password information periodically on all of the systems whose resources may be accessed.
Generally, a certificate includes identification information for the entity that is identified by the certificate, that is, the person or organization that the certificate is supposed to identify, identification information for the certification authority, an algorithm identifier and public key for the certification authority and an encrypted digital signature. The certification authority uses a hash algorithm, identified by the algorithm identifier, to generate a message digest from the contents of the certificate, and uses the private key of its public key/private key pair to encrypt the message digest, resulting in a digital signature. When the certificate is to be verified, which may occur, for example, when it is to be used to verify that an operator is authorized to use a resource provided by a system, the system uses the same hash algorithm to generate a message digest from the contents of the certificate. In addition, the system uses the certification authority's public key to decrypt the digital signature. If the message digest value generated corresponds to the decrypted digital signature, it can determine that the certificate is authentic. In that case, it can determine that the operator is the entity identified in the certificate. In addition, the system can determine that the key in the certificate is that entity's public key, which can be used to encrypt information to be sent to the entity.
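
The digest-then-sign flow just described, as an added example that is not part of the original specification: the certificate body is hashed with the algorithm named by the algorithm identifier, the digest is "encrypted" with the certification authority's private key to give the signature, and a relying system recovers the digest with the authority's public key and compares it against its own digest. The RSA parameters (two small known primes), the one-line-per-field body layout and all names are constructed for illustration only and are not secure.

```python
import hashlib

# Constructed toy RSA parameters so the example runs with only the standard
# library: two small known primes and public exponent 65537.  A real
# certification authority uses a key of 2048 bits or more and a padded
# signature scheme; these values only illustrate the digest/sign/verify flow.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

CA_PUBLIC_KEY = (N, E)              # carried in every certificate
CA_PRIVATE_KEY = (N, D)             # held only by the certification authority
HASH_ALGORITHM_ID = "sha256"        # the certificate's algorithm identifier


def certificate_body(subject, ca_name, algorithm_id, ca_public_key):
    """Serialise the signed fields in a fixed order (constructed format)."""
    n, e = ca_public_key
    return "\n".join([
        "subject=" + subject,
        "issuer=" + ca_name,
        "algorithm=" + algorithm_id,
        "ca_public_key=%d:%d" % (n, e),
    ]).encode()


def message_digest(body, algorithm_id, modulus):
    """Hash the certificate contents with the identified algorithm.

    The digest is reduced modulo the toy modulus only because the modulus
    here is far smaller than a SHA-256 output; a real scheme pads the digest
    to the modulus size instead of truncating it.
    """
    digest = hashlib.new(algorithm_id, body).digest()
    return int.from_bytes(digest, "big") % modulus


def sign_certificate(body, ca_private_key):
    """CA side: 'encrypt' the message digest with the private key."""
    n, d = ca_private_key
    return pow(message_digest(body, HASH_ALGORITHM_ID, n), d, n)


def verify_certificate(body, signature, ca_public_key):
    """Relying system: recompute the digest, 'decrypt' the signature with the
    CA's public key, and accept only if the two values agree."""
    n, e = ca_public_key
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n)
    return recovered == message_digest(body, HASH_ALGORITHM_ID, n)


def issue_certificate(subject, ca_name):
    """Return (body, signature) as the certification authority would emit."""
    body = certificate_body(subject, ca_name, HASH_ALGORITHM_ID, CA_PUBLIC_KEY)
    return body, sign_certificate(body, CA_PRIVATE_KEY)


if __name__ == "__main__":
    body, sig = issue_certificate("alice@example.test", "Example CA")
    print("genuine certificate verifies:", verify_certificate(body, sig, CA_PUBLIC_KEY))
    altered = body.replace(b"alice", b"mallory")
    print("altered body verifies:", verify_certificate(altered, sig, CA_PUBLIC_KEY))
```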

Since the certification authority uses its private key in generating the signature that is included in the certificate, it is important that the private key remain secure. If the private key is revealed to an unauthorized entity, the unauthorized entity may be able to issue counterfeit certificates that a system may recognize as authentic. A number of strategies are used by a certification authority to maintain security. A certification authority includes a computer that stores the private key and is programmed to generate a certificate on a medium that is readable by a computer or other digital device. The computer is typically maintained in both a physically isolated and electronically isolated condition. That is, the computer is physically isolated, typically in a securely locked room, so that it may be physically accessed only by an administrator who is trusted and authorized to generate certificates. And it is electronically isolated from networks or other communication media that may be used by the organization that maintains the certification authority so as to prevent introduction of incorrect software or unauthorized access to information stored on the computer, including the private key. When a certificate is to be generated, the trusted administrator enters the room to access the computer, inputs information for the entity for whom the certificate is to be generated, and obtains the certificate, in machine-readable form, from the computer. Thus, a computer needs to be set aside essentially solely for use as a certification authority.

Generally, an entity that wishes to have a certificate issued will transmit a certificate issuance request to a trusted administrator by any of a number of methodologies, including, for example, Email, requests transferred over the World Wide Web, physical appearance before the trusted administrator, and the like. If the administrator approves a request, he or she saves identification information for the entity for which the certificate is to be generated on a machine-readable medium using the computer that he or she normally uses for his or her work. When the certificate is to be generated, the administrator takes the machine-readable medium from that computer to the computer that is used as the certification authority for use in generating the certificate or certificates that are to be generated during a certificate generation session. During the certificate generation session, the certification authority can read the identification information for the entities for which the certificates are to be generated, display the information to the administrator to permit him or her to make last-minute changes and verification of information as necessary, and generate the certificates. Typically, certificates are generated in a batch fashion, with the administrator engaging in certificate generation sessions periodically.

Setting aside a computer, separate and apart from the other computers maintained by an organization, as a certification authority, in a locked room to maintain the security for the computer, can be relatively expensive. In addition, batch generation of certificates during certificate generation sessions is relatively inconvenient, and can result in delay in issuance of a certificate.

Summary Of The Invention

The invention provides a new and improved system and method for providing a relatively inexpensive and more convenient certification authority.

In brief summary, the invention provides a certification authority for generating certificates in response to respective certification requests. The certification authority generally includes a computer that is bootable from a removable medium and a removable medium. The removable medium includes a machine readable medium having encoded thereon an operating system module configured to enable the computer to boot from the removable medium and a certificate generation module configured to, after the computer has been booted, control the computer to facilitate the generation of at least one certificate in response to an associated certificate request, the certification authority module being configured to provide that the computer not be remotely controlled during a certificate generation session.

Brief Description Of The Drawings

This invention is pointed out with particularity in the appended claims. The above and further advantages of this invention may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts a digital computer system for use in connection with a certification authority, in connection with the invention;

FIG. 2 is a flow chart depicting operations performed in connection with the digital computer system during a certificate generation session.

Detailed Description of an Illustrative Embodiment

FIG. 1 depicts an illustrative computer system 10 for use in a certification authority, constructed in accordance with the invention. With reference to FIG. 1, the computer system 10 in one embodiment includes a processor module 11 and operator interface elements comprising operator input components such as a keyboard 12A and/or a mouse 12B (generally identified as operator input element(s) 12) and operator output components such as a video display device 13. The illustrative computer system 10 is of the conventional stored-program computer architecture. The processor module 11 includes, for example, processor, memory and mass storage devices such as disk and/or tape storage elements (not separately shown) which perform processing and storage operations in connection with digital data provided thereto. The mass storage subsystems may include such devices as disk or tape subsystems, optical disk storage devices and CD-ROM devices in which information may be stored and/or from which information may be retrieved. One or more of the mass storage subsystems may utilize removable storage media that may be removed and installed by an operator, which may allow the operator to load programs and data into the digital computer system 10 and obtain processed data therefrom. Under control of control information provided thereto by the processor, information stored in the mass storage subsystems may be transferred to the memory for storage. After the information is stored in the memory, the processor may retrieve it from the memory for processing. After the processed data is generated, the processor may also enable the mass storage subsystems to retrieve the processed data from the memory for relatively long-term storage.

The operator input element(s) 12 are provided to permit an operator to input information for processing and/or control of the digital computer system 10. The video display device 13 is provided to display visual output information on a screen 14, which is generated by the processor module 11, which may include data that the operator may input for processing, information that the operator may input to control processing, as well as information generated during processing. The processor module 11 generates information for display by the video display device 13 using a so-called "graphical user interface" ("GUI"), in which information for various applications programs is displayed using various "windows." Although the computer system 10 is shown as comprising particular components, such as the keyboard 12A and mouse 12B for receiving input information from an operator, and a video display device 13 for displaying output information to the operator, it will be appreciated that the computer system 10 may include a variety of components in addition to or instead of those depicted in FIG. 1.

In addition, the processor module 11 may include one or more network or communication ports, generally identified by reference numeral 15, which can be connected to communication links to connect the computer system 10 in a computer network, or to other computer systems (not shown) over, for example, the public telephony system. The ports enable the computer system 10 to transmit information to, and receive information from, other computer systems and other devices in the network.

The invention provides a certification authority including the computer 10 and at least one removable machine-readable medium (not separately shown), such as a floppy disk, smart card or the like, which may be inserted into an appropriate device on the computer 10. The removable medium has encoded thereon several programs and modules that, when used by a trusted administrator with the computer 10 during a certificate generation session, serve to configure the computer 10 as a certification authority. The removable medium includes various operating system modules and certification authority modules. The operating system modules configure the removable medium as a bootable medium, so that, after the removable medium has been inserted into the computer's reading device and the computer 10 powered up or reset, the computer 10 will boot from the floppy disk. The computer's boot loader (not separately shown) is configured to initially completely replace any operating software that the computer may have resident thereon with the operating system from the removable medium. From the operating system, the trusted administrator who is using the computer 10 as the certification authority during the certificate generation session can make use of the certification authority modules, which will be described below, to generate the certificates.

Essentially, the invention provides that, since the removable medium can be used in connection with any computer for which the boot loader operates as described above, any such computer can be used as the certification authority, thus eliminating the necessity of providing a separate computer just to be used as a certification authority. In addition, if a trusted administrator maintains possession of the removable medium in a secure manner, such as in a safe, a locked drawer, or the like, the certification authority will be secure against access or tampering by a third party. Thus, the invention provides that no separate secure room need be provided to house the certification authority. Further, since the computer 10 used as the certification authority may constitute the computer that the administrator normally uses in his or her other work, certificate generation sessions are more convenient and the administrator may engage in such sessions more often than otherwise.

As noted above, in addition to the operating system modules as described above, the removable medium has stored thereon certification authority modules that serve to configure the computer 10 as a certification authority. In one embodiment, the certification authority modules comprise the following program modules:

(i) an authentication module;
(ii) a communication control module;
(iii) a certification request verification module;
(iv) a certification request display module;
(v) a certification request edit module;
(vi) a certification request approval module;
(vii) a digital signature module; and
(viii) an encrypted private key and a decryption module.

The authentication module controls the computer 10, preferably at the beginning of the certificate generation session, to require the administrator to authenticate him or herself to the certification authority. This may be accomplished by, for example, requiring the administrator to provide his or her identification, such as his or her name, and a password. After the administrator has authenticated him or herself, he or she can make use of facilities provided by the other modules to generate certificates during the certificate generation session.

The communication control module is provided to provide the computer 10 with at most limited communication capabilities. In one embodiment, the communication control module enables the computer 10 to, through the network connection 15, receive only certification requests and transmit signed certificates and messages indicating that a certification request has not been approved. The communication control module controls the computer to ignore or block any other type of attempt at communications with the computer. Specifically, the communication control module does not support services such as telnet, rlogin (remote login) or ftp (file transfer protocol) which might allow the computer 10 or any of its resources (such as memory or disks) to be controlled or accessed remotely over a network to which the computer 10 may be connected during the certificate generation session. This will ensure that, during the certificate generation session, the certification authority's private key in particular cannot be accessed from a remote location over the network.

The certification request verification module is provided to enable the computer 10 to receive information received by the communication control module from the network, and to check the information to verify that the information is a certification request. Each certification request has a predetermined format, and the certification request verification module verifies, for each unit of information that is of sufficient size to be a certification request, that the format of the information conforms to that for a certification request. In addition, the certification request format defines a plurality of fields, each having a certain type of data and allowed characters, and the certification request verification module verifies that the information fields of each certification request contain the appropriate types of data and that they do not contain any characters that are not allowed for the respective fields.
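
An added example (not the patent's own code) of the checks the verification module performs on each unit of information: a minimum-size test, a field-by-field format and allowed-character check, and a data-type check on the date fields. The one-line-per-field request format, the field set and the character rules are assumptions made for this example, and the two sample requests are constructed.

```python
import re
from datetime import date

# Constructed request format for this example (it is not the patent's): one
# ASCII "field=value" line per field.  The field set, data types and allowed
# characters below are assumptions chosen for illustration.
MIN_REQUEST_SIZE = 40     # units smaller than this cannot be a certification request

LINE_RE = re.compile(r"^([a-z_]+)=(.*)$")
FIELD_RULES = {
    "common_name":  re.compile(r"^[A-Za-z0-9 .'-]{1,64}$"),
    "organization": re.compile(r"^[A-Za-z0-9 .,&'-]{1,64}$"),
    "email":        re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "valid_from":   re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "valid_to":     re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}

# Constructed sample units of information as the communication control module
# might hand them over: one well-formed request, and one with a NUL byte in
# the common name and a calendar date that does not exist.
GOOD_REQUEST = (b"common_name=Alice Example\n"
                b"organization=Example Corp\n"
                b"email=alice@example.test\n"
                b"valid_from=2024-01-01\n"
                b"valid_to=2025-01-01\n")
BAD_REQUEST = (GOOD_REQUEST.replace(b"Alice Example", b"Alice\x00Example")
               .replace(b"2025-01-01", b"2025-02-30"))


def verify_certification_request(raw):
    """Return the list of problems found; an empty list means the unit of
    information is a well-formed certification request."""
    if len(raw) < MIN_REQUEST_SIZE:
        return ["unit too small to be a certification request"]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["request contains non-ASCII bytes"]

    errors, seen, fields = [], set(), {}
    # splitlines() also splits on a lone CR and other line terminators, so a
    # terminator smuggled into a value shows up as a malformed extra line.
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            errors.append("line %d: not a field=value line" % lineno)
            continue
        name, value = match.group(1), match.group(2)
        if name not in FIELD_RULES:
            errors.append("line %d: unknown field %r" % (lineno, name))
        elif name in seen:
            errors.append("line %d: duplicate field %r" % (lineno, name))
        elif not FIELD_RULES[name].match(value):
            seen.add(name)
            errors.append("line %d: field %r has disallowed characters or the wrong format"
                          % (lineno, name))
        else:
            seen.add(name)
            fields[name] = value

    for name in FIELD_RULES:
        if name not in seen:
            errors.append("missing field %r" % name)

    # Data-type check beyond the character class: the validity fields must be
    # real calendar dates and the period must run forward.
    if "valid_from" in fields and "valid_to" in fields:
        try:
            start = date.fromisoformat(fields["valid_from"])
            end = date.fromisoformat(fields["valid_to"])
        except ValueError:
            errors.append("validity fields are not real calendar dates")
        else:
            if end <= start:
                errors.append("valid_to must be later than valid_from")
    return errors
```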

The certification request display module is provided to enable the computer 10 to display certification requests that have been received by the communication control module from the network and verified by the certification request verification module on the screen 14 of video display device 13. The certification request display module also enables the computer 10 to, for example, list the certification requests to, in turn, allow the administrator to select one of the certification requests for display.

The certification request edit module is provided to enable the computer 10 to, in turn, allow the administrator to make changes to the information comprising the certification request before the certificate is generated. Changes may be for the purpose of, for example, correcting spelling errors, entering dates for which the generated certificate will be valid, and the like. The administrator may enter the changes through any of the operator input devices 12, including keyboard 12A and mouse 12B. As the administrator enters the changes, the certification request display module enables the computer 10 to display the changes on the screen 14 of video display device 13.

The certification request approval module is provided to enable the computer 10 to allow the administrator to approve or not approve a certification request. The administrator can indicate whether the certification request is to be approved by means of input provided through any of the operator input devices 12. For example, the certification request display module may enable the computer 10 to display "approved" and "not approved" pushbuttons on the screen 14 along with the certification request information, and, after the administrator has completed entering changes to the certification information, he or she may actuate one of the pushbuttons to, respectively, approve or not approve the certification request. If the administrator does not approve a certification request, the certification request approval module enables the computer 10 to generate a message so indicating for transmission by the communication control module to the entity that issued the request. On the other hand, if the administrator does approve a certification request, the certification request approval module enables the computer 10 to generate the certificate, making use of the digital signature module. The certificate includes information from the certification request, information regarding the certification authority, such as the identification of the certification authority, an identifier identifying the algorithm used by the digital signature module to generate the digital signature, and the certification authority's public key.

The digital signature module is provided to enable the computer 10, under control of the certification request approval module, to generate a digital signature using the certification authority's private key.

The encrypted private key and decryption module are provided to enable the computer 10 to determine the certification authority's private key. The certification authority's private key is encrypted using an encryption key that is based on a one-way hash of the administrator's authenticating information. Accordingly, after the administrator has authenticated him or herself to the authentication module, the decryption module can decrypt the certification authority's private key using a decryption key that is also based on the one-way hash of the authenticating information provided by the administrator to the authentication module.

Operations performed in connection with a certificate generation session will be described in connection with the flow chart depicted in FIG. 2. To initiate a certificate generation session in connection with the computer 10, the administrator will initially insert the removable medium into the appropriate receptacle on the computer 10 for facilitating reading of the medium by the computer (step 101) and reset the computer (step 102). This may be accomplished in a number of ways, including actuation of a control button provided therefor on the computer, turning the computer's power off and on, or by any other conventional mechanism as will be appreciated by those skilled in the art.
After the computer has been reset, the computer's boot loader begins booting from the removable medium, in the process completely removing from the computer any operating software that may initially be present on the computer and replacing it with the operating system from the removable medium (step 103). After the operating system has been loaded it can automatically enable the computer 10 to load and begin processing the authentication module (step 104). Alternatively, the operating system as loaded from the removable medium can enable the computer 10 to display a command line, and the administrator can use the command line to provide input, using the operator input devices such as keyboard 12A and/or mouse 12B, to enable the computer to load and begin processing the authentication module. Other arrangements facilitating initiation of processing of the authentication module will be apparent to those skilled in the art.

After the computer 10 begins processing the authentication module, the authentication module enables the computer 10 to display a log-on screen or prompt line on the screen 14 of video display device 13 (step 105). The administrator can then provide his or her identification indicia, which may include his or her name and/or other identifier, and authentication indicia, such as a password and the like, through the operator input devices, such as keyboard 12A and mouse 12B (step 106). Thereafter, the authentication module enables the computer to determine whether the authentication indicia conform to that provided earlier for the administrator's identification information (step 107). If the computer makes a negative determination in step 107, it may repeat steps 106 and 107 for a predetermined number of times to allow the administrator to provide the identification indicia and the correct authentication indicia (step 108). If the computer, while under control of the authentication module, determines that the administrator is unable to provide the correct authentication indicia that conform to the identification indicia during the predetermined number of additional trials (step 109), the authentication module may exit, and not allow the administrator to continue the certificate generation session (step 110). In addition, the authentication module may enable the computer system 10 to erase critical portions of the removable medium, thereby ensuring that it cannot thereafter be used in connection with a computer to form a certification authority.
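
An added example, not from the specification, that covers both the encrypted private key and decryption module described earlier and the bounded log-on of steps 105 to 110: the authority's private key is sealed under a key derived by a one-way hash (PBKDF2-SHA256) of the administrator's identification and authentication indicia, wrong credentials are detected by an authentication tag before anything is decrypted, and after a predetermined number of failed trials the sealed key (the critical portion of the medium) is overwritten. The keystream construction, the attempt limit and the sample key bytes are assumptions made for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # work factor of the one-way hash of the admin's credentials
MAX_ATTEMPTS = 3          # predetermined number of trials (assumed value)

# Constructed stand-in for the certification authority's private key material.
TOY_PRIVATE_KEY = b"-----constructed toy CA private key bytes-----"


def derive_master_key(admin_id, password, salt):
    """One-way hash of the identification and authentication indicia."""
    material = admin_id.encode() + b"\x00" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def _subkeys(master_key):
    """Separate keys for encryption and for the authentication tag."""
    enc_key = hmac.new(master_key, b"encrypt", "sha256").digest()
    mac_key = hmac.new(master_key, b"authenticate", "sha256").digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256.  This is a demonstration
    cipher built from stdlib primitives; a production system would use an
    AEAD such as AES-GCM for the same encrypt-then-authenticate role."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def seal_private_key(admin_id, password, private_key):
    """Encrypt the CA private key under a key derived from the admin's credentials."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_master_key(admin_id, password, salt))
    stream = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_private_key(sealed, admin_id, password):
    """Return the private key, or None if the credentials do not verify.
    The tag is checked first, so wrong credentials never yield garbage plaintext."""
    enc_key, mac_key = _subkeys(derive_master_key(admin_id, password, sealed["salt"]))
    expected = hmac.new(mac_key, sealed["nonce"] + sealed["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    stream = _keystream(enc_key, sealed["nonce"], len(sealed["ciphertext"]))
    return bytes(c ^ k for c, k in zip(sealed["ciphertext"], stream))


class AuthenticationModule:
    """Steps 105 to 110: log-on with a bounded number of trials; when they are
    exhausted the sealed key on the medium is overwritten and the session ends."""

    def __init__(self, sealed):
        self.sealed = sealed
        self.failures = 0

    def log_on(self, admin_id, password):
        if self.sealed is None:
            return None                      # medium already erased
        private_key = open_private_key(self.sealed, admin_id, password)
        if private_key is not None:
            self.failures = 0
            return private_key
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.erase_medium()
        return None

    def erase_medium(self):
        """Overwrite every field of the sealed blob in place, then drop it."""
        for name in list(self.sealed):
            self.sealed[name] = b"\x00" * len(self.sealed[name])
        self.sealed = None
```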
On the other hand, if the computer, while under control of the authentication module, makes a positive determination in step 107, or if it determines in step 109 that the administrator is able to provide the correct authentication indicia that conform to the identification indicia during at least one of the predetermined number of additional trials, the authentication module enables the computer to begin execution of the communication control module, the certification request verification module, the certification request edit module and the certification request approval module (step 111). Initially, the communication control module enables the computer to request retrieval of certification requests over the network through the network port 15 (step 112). The certification requests that are to be processed may be stored in, for example, individual files in a predetermined storage location in, for example, a server provided in the network. Alternatively, the communication control module may enable the computer to display a dialog box identifying the server and source location of the files containing the respective certification requests.

After the computer has received the files containing the certification requests under control of the communication control module, it (that is, the computer) processes the files under control of the certification request verification module to verify that each contains a properly formatted certification request with no characters that are not allowed (step 113). This may be done in a "batch" manner, in which the files are processed all at once. In that case, the certification request verification module can, for example, mark each file that contains a properly formatted certification request for later processing, and for others send notifications to the requesters indicating that the certification requests were rejected. Alternatively, it may be done in a mode in which it processes each file containing a certification request when the administrator selects the file for further processing.

Following step 113, the administrator makes use of the certification request display module to enable the computer 10 to display a list of certification requests that have been verified by the computer during processing under control of the certification request verification module (step 114) and selects one of the listed certification requests for processing (step 115). After the administrator has selected one of the listed certification requests in step 115, the certification request display module enables the computer to display information from the certification request file (step 116) so that the administrator can correct the information as necessary. If the administrator wishes to correct the information, he or she will enter update information using the keyboard 12A or mouse 12B, and the certification request edit module will enable the update information to be displayed and stored in the certification request file (step 117).

After the administrator is finished updating the certification request information and the information has been stored in the certification request file (reference step 117), the administrator can enable the certification request approval module to, in turn, enable the computer 10 to generate the certificate, if the certificate is to be approved, or notify the entity that requested the certificate that the certificate is to be rejected. In those operations, the administrator, using the keyboard 12A or mouse 12B, inputs indicia indicating either approval or rejection of the certificate (step 118). If the indicia indicate approval of the request, the certification request approval module is enabled to, in turn, enable the computer to generate the certificate (step 119). In that operation, the certification request approval module formats the certification request information from the certification request file, as updated by the administrator, as required for the certificate (step 120) and calls the digital signature module to generate a digital signature therefor from the information in the certificate and the private key (step 121). If the private key has not been previously decrypted, the digital signature module can also enable the decryption module to decrypt the encrypted private key. After the certificate has been generated, the certification request approval module enables the communication control module to transfer the generated certificate to the entity that requested it or to another publication location such as a directory service (step 122).

Returning to step 118, if the administrator inputs indicia indicating rejection of the certificate, the certification request approval module generates a rejection notice for transmission to the entity that requested the certificate, which may include information as to why the certificate was rejected (step 123). Thereafter, the certification request approval module enables the communication control module to transfer the generated rejection notice to the entity that requested the certificate (step 124).

Following step 122 or 124, the certification request display module can enable the computer to remove the just-processed certification request from the list displayed on the screen 14 (step 125). Thereafter, operations can return to step 115 to allow the administrator to select another certification request from the list, if any.
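The verification of step 113 (batch mode) and the approval and rejection paths of steps 118 through 124, written out as an added illustration; this is not code from the patent. It assumes a constructed line-oriented request format with three required fields, a set of allowed characters (printable ASCII without control characters other than line breaks), and a textbook RSA key with the classic small primes 61 and 53 standing in for the certification authority's private key; a real deployment would parse PKCS#10 requests and sign with a full-size key from a proper library.

```python
"""Certification request verification, approval and rejection (steps 113 and
118-124). Added illustration; not the patent's own code."""
import hashlib
import string

# Constructed request format: one "field: value" per line. The field names and
# the allowed character set are assumptions made for this example.
REQUIRED_FIELDS = ("subject", "public_key", "contact")
ALLOWED_CHARS = set(string.printable) - set("\t\x0b\x0c")


def verify_request(text: str):
    """Step 113: return (request_dict, None) if the file holds a properly
    formatted request with no disallowed characters, else (None, reason)."""
    bad = sorted({c for c in text if c not in ALLOWED_CHARS})
    if bad:
        return None, "disallowed characters: %r" % "".join(bad)
    request = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None, "malformed line: %r" % line
        request[name.strip()] = value.strip()
    missing = [f for f in REQUIRED_FIELDS if not request.get(f)]
    if missing:
        return None, "missing fields: " + ", ".join(missing)
    return request, None


def process_batch(files: dict):
    """Batch mode of step 113: mark verified files for later processing and
    prepare rejection notifications for the others."""
    verified, notices = {}, {}
    for name, text in files.items():
        request, reason = verify_request(text)
        if request is None:
            notices[name] = "certification request rejected: " + reason
        else:
            verified[name] = request
    return verified, notices


# Toy textbook RSA key (p=61, q=53) standing in for the CA's private key.
# Constructed for illustration only; far too small to be secure.
N, E, D = 3233, 17, 2753


def _digest_mod_n(certificate_body: str, n: int) -> int:
    h = hashlib.sha256(certificate_body.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % n


def digital_signature(certificate_body: str, d: int = D, n: int = N) -> int:
    """Step 121: sign the certificate information with the private key."""
    return pow(_digest_mod_n(certificate_body, n), d, n)


def signature_valid(certificate_body: str, sig: int, e: int = E, n: int = N) -> bool:
    """What the relying party does with the public exponent."""
    return pow(sig, e, n) == _digest_mod_n(certificate_body, n)


def approve(request: dict, serial: int, issuer: str = "Example Offline CA") -> dict:
    """Steps 119-121: format the (possibly edited) request as a certificate and
    attach the digital signature over the formatted information."""
    body = f"issuer: {issuer}\nserial: {serial}\n" + "\n".join(
        f"{k}: {request[k]}" for k in REQUIRED_FIELDS)
    return {"body": body, "signature": digital_signature(body)}


def reject(request: dict, reason: str) -> dict:
    """Step 123: build a rejection notice that says why."""
    return {"subject": request["subject"], "status": "rejected", "reason": reason}


# Constructed sample request files retrieved for one session.
SAMPLE_FILES = {
    "req1.txt": "subject: CN=alice\npublic_key: 3081...\ncontact: alice@example.com\n",
    "req2.txt": "subject: CN=bob\npublic_key: \ncontact: bob@example.com\n",
    "req3.txt": "subject: CN=m\x00allory\npublic_key: 3081...\ncontact: x@example.com\n",
}
```

Running `process_batch(SAMPLE_FILES)` marks only the first file as verified; the second fails for an empty required field and the third for an embedded NUL byte, and each gets a notice carrying the reason. The signature covers the formatted certificate body, so an edit made after signing, or to the signature itself, fails `signature_valid`.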

The above-described operations can be repeated for all of the certification requests in the list displayed on the screen 14 of video display device 13, or for any portion thereof as selected by the administrator during the certificate generation session. It will be appreciated that the administrator can terminate the certificate generation session at any time, in which case unprocessed certification requests can be maintained on the computer 10, stored on the removable medium, or the like, for processing during a subsequent certificate generation session, or retrieved again from its source location during a subsequent certificate generation session.

The invention provides a number of advantages. In particular, it provides a relatively inexpensive certification authority arrangement for an organization, which provides that many computers can operate as certification authorities, avoiding the necessity of taking extraordinary security measures for the computer to be used as the certification authority, such as isolating the computer from the organization's network and maintaining it in a secure locked room. The invention provides that

(i) security of the certification authority be maintained by physical possession of the removable medium which includes all of the program modules to be used by the computer in connection with the certification authority, and

(ii) electronic security be maintained by providing very limited communication capabilities for the computer, and specifically excludes any capability that would allow remote control of resources of the computer being used as the certification authority.
Since the invention can be used with any computer whose boot loader is configured to initially completely replace any operating software that the computer may have resident thereon with the operating system from the removable medium, the invention provides for extensive flexibility for the certification authority.

It will be appreciated that a number of modifications may be made to the arrangement as described above. For example, although the arrangement has been described as including a communication control module for controlling limited communications over a network, it will be appreciated that an arrangement may be provided that does not include a communication control module. In that case, the administrator may download the certification request files to a mass storage subsystem on the computer, or on the removable medium, prior to the certificate generation session, and the certification request files may be retrieved therefrom during the session. In addition, the issued certificates or rejections can be buffered on the hard disk during the session, and transmitted after the session has ended.

The computer that is used as the certification authority can be any kind of computer, including, for example, any personal computer, workstation, laptop, palm-top or the like. The computer must be dedicated to the certification authority function while it is being used as a certification authority during a certificate generation session, but it can be used for other operations at other times. In addition, although the computer has been described as providing a GUI for the operator, it will be appreciated that the computer may instead or in addition provide a command line interface.

It may be advantageous to have some portion of the arrangement that is described above as being stored on the removable medium, stored on a separate medium. For example, one or more of the digital signature module, encrypted private key and decryption module can be stored on a Smart Card or iButton, and a separate authentication may be required for that. Furthermore, the two (that is, the removable medium storing the other modules, and the Smart Card or iButton storing the digital signature module, encrypted private key and/or the decryption module) may be linked, so that the one may not be used without a specific other. In that case, even if one of them is lost or the security otherwise compromised, they cannot be used in combination with another SmartCard/iButton or removable medium, respectively. The Smart Card or iButton can be provided with disabling software so that, if a predetermined number of authentication attempts are unsuccessful, the device will be disabled.

Instead of using a removable medium, some or a significant portion of the modules can be stored on a programmable read-only memory ("PROM") comprising part of the computer, which may form part of, for example, the boot loader or other component. In that case, one or more of the digital signature module, encrypted private key and decryption module can be stored on a Smart Card or iButton, and a separate authentication may be required for that, as described above.

It will be appreciated that a system in accordance with the invention can be constructed in whole or in part from special purpose hardware or a general purpose computer system, or any combination thereof, any portion of which may be controlled by a suitable program. Any program may in whole or in part comprise part of or be stored on the system in a conventional manner, or it may in whole or in part be provided to the system over a network or other mechanism for transferring information in a conventional manner. In addition, it will be appreciated that the system may be operated and/or otherwise controlled by means of information provided by an operator using operator input elements (not shown) that may be connected directly to the system or that may transfer the information to the system over a network or other mechanism for transferring information in a conventional manner.

The foregoing description has been limited to a specific embodiment of this invention. It will be apparent, however, that various variations and modifications may be made to the invention, with the attainment of some or all of the advantages of the invention. It is the object of the appended claims to cover these and such other variations and modifications as come within the true spirit and scope of the invention.

What is claimed as new and desired to be secured by Letters Patent of the United States is:

Claims

1. A certification authority for generating certificates in response to respective certification requests, the certification authority comprising:

    A. a computer that is bootable from a removable medium; and

    B. a removable medium comprising a machine readable medium having encoded thereon:

        i. an operating system module configured to enable the computer to boot from the removable medium; and

        ii. a certificate generation module configured to, after the computer has been booted, control the computer to facilitate the generation of at least one certificate in response to an associated certificate request, the certification authority module being configured to provide that the computer not be remotely controlled during a certificate generation session.

2. A certification authority as defined in claim 1 in which said certification authority operates under control of an operator, the certificate generation module enabling the computer to display certificate request information associated with the certificate request to the operator and receive operator input information from an operator, the certificate generation module enabling the computer to use the input information from the operator in generating the at least one certificate.

3. A certification authority as defined in claim 2 in which the operator input information includes operator authentication information, the certification generation module including an authentication module configured to enable the computer to receive the operator authentication information and verify that the operator is authorized to control the certification authority.

4. A certification authority as defined in claim 3 in which the certificate includes a digital signature comprising a signature that is generated using a private encryption key, the certificate generation module including

    A. an encrypted private key;

    B. a decryption module configured to enable the computer to use the operator authentication information to decrypt the encrypted private key thereby to obtain a private key; and

    C. a digital signature module configured to enable the computer to generate a digital signature from information in the at least one certificate using the private key.

5. A certification authority as defined in claim 2 in which the certificate generation module further enables the operator to receive operator input information relating to information in the certificate request, the certificate generation module further including:

    A. a certification request information display module configured to enable the computer to display certification information to the operator; and

    B. a certification request edit module configured to enable the computer to receive cert request modification information from the operator and update information in the certificate request in response thereto.
6. A certification authority as defined in claim 2 in which the certificate generation module further includes a certification request approval module configured to enable the computer to receive operator input information comprising a certificate request approval and generate the certificate request in response thereto.

7. A certification authority as defined in claim 1 in which information in a certification request is in a predetermined format, the certificate generation module further including a certification request verification module configured to enable said computer to determine whether the information in the at least one certification request is in the predetermined format.

8. A certification authority as defined in claim 1 in which the computer is connected to retrieve certification requests from a remote storage location, the certificate generation module further including a communication control module configured to enable the computer to retrieve certification requests from the remote storage location.

9. A computer program product for use in connection with a computer to form a certification authority for generating certificates in response to respective certification requests, the computer being bootable from a removable medium, the computer program product comprising a removable medium in the form of a machine readable medium having encoded thereon:

    A. an operating system module configured to enable the computer to boot from the removable medium; and

    B. a certificate generation module configured to, after the computer has been booted, control the computer to facilitate the generation of at least one certificate in response to an associated certificate request, the certification authority module being configured to provide that the computer not be remotely controlled during a certificate generation session.

10. A computer program product as defined in claim 9 in which said certification authority operates under control of an operator, the certificate generation module enabling the computer to display certification request information associated with the certification request to the operator and receive operator input information from an operator, the certificate generation module enabling the computer to use the input information from the operator in generating the at least one certificate.

11. A computer program product as defined in claim 10 in which the operator input information includes operator authentication information, the certificate generation module including an authentication module configured to enable the computer to receive the operator authentication information and verify that the operator is authorized to control the certification authority.

12. A computer program product as defined in claim 11 in which the certificate includes a signature comprising a signature that is encrypted using a private encryption key, the certificate generation module including

    A. an encrypted private key;

    B. a decryption module configured to enable the computer to use the operator authentication information to decrypt the encrypted private key thereby to obtain a private key; and

    C. a digital signature module configured to enable the computer to generate a digital signature from information in the at least one certificate and encrypt the digital signature using the private key.
13. A computer program product as defined in claim 10 in which the certificate generation module further enables the operator to receive operator input information relating to information in the certification request, the certificate generation module further including:

    A. a certification request information display module configured to enable the computer to display certification information to the operator; and

    B. a certification request edit module configured to enable the computer to receive certification request modification information from the operator and update information in the certification request in response thereto.

14. A computer program product as defined in claim 10 in which the certificate generation module further includes a certification request approval module configured to enable the computer to receive operator input information comprising a certification request approval and generate the certificate in response thereto.



15. A computer program product as defined in claim 9 in which information in a certification request is in a predetermined format, the certificate generation module further including a certification request verification module configured to enable said computer to determine whether the information in the at least one certification request is in the predetermined format.

16. A computer program product as defined in claim 9 in which the computer is connected to retrieve certification requests from a remote storage location, the certificate generation module further including a communication control module configured to enable the computer to retrieve certification requests from the remote storage location.

Abstract

A certification authority generates certificates in response to respective certification requests. The certification authority generally includes a computer that is bootable from a removable medium and a removable medium. The removable medium includes a machine readable medium having encoded thereon an operating system module configured to enable the computer to boot from the removable medium and a certificate generation module configured to, after the computer has been booted, control the computer to facilitate the generation of at least one certificate in response to an associated certificate request, the certification authority module being configured to provide that the computer not be remotely controlled during a certificate generation session.
FIG. 2 (flowchart of the certificate generation session, continued on sheets FIG. 2A through FIG. 2D)

101. ADMINISTRATOR INSERTS THE REMOVABLE MEDIUM INTO THE APPROPRIATE RECEPTACLE ON THE COMPUTER FOR FACILITATING READING OF THE MEDIUM BY THE COMPUTER

102. ADMINISTRATOR RESETS THE COMPUTER

103. COMPUTER'S BOOT LOADER BEGINS BOOTING FROM THE REMOVABLE MEDIUM, IN THE PROCESS COMPLETELY REMOVING FROM THE COMPUTER ANY OPERATING SOFTWARE THAT MAY INITIALLY BE PRESENT ON THE COMPUTER AND REPLACING IT WITH THE OPERATING SYSTEM FROM THE REMOVABLE MEDIUM

104. OPERATING SYSTEM AUTOMATICALLY ENABLES THE COMPUTER TO LOAD AND BEGIN PROCESSING THE AUTHENTICATION MODULE

105. AUTHENTICATION MODULE ENABLES THE COMPUTER TO DISPLAY A LOG-ON SCREEN ON THE SCREEN OF VIDEO DISPLAY DEVICE

FIG. 2A

106. ADMINISTRATOR PROVIDES HIS OR HER IDENTIFICATION INDICIA AND AUTHENTICATION INDICIA

107. AUTHENTICATION MODULE ENABLES THE COMPUTER TO DETERMINE WHETHER THE AUTHENTICATION INDICIA CONFORM TO THAT PROVIDED EARLIER FOR THE ADMINISTRATOR'S IDENTIFICATION INFORMATION (YES: step 111; NO: step 108)

108. COMPUTER REPEATS STEPS 106 AND 107 FOR A PREDETERMINED NUMBER OF TIMES TO ALLOW THE ADMINISTRATOR TO PROVIDE THE IDENTIFICATION INDICIA AND THE CORRECT AUTHENTICATION INDICIA

109. COMPUTER DETERMINES WHETHER THE ADMINISTRATOR IS ABLE TO PROVIDE THE CORRECT AUTHENTICATION INDICIA WHICH CONFORMS TO THE IDENTIFICATION INDICIA DURING THE PREDETERMINED NUMBER OF ADDITIONAL TRIALS (YES: step 111; NO: step 110)

110. AUTHENTICATION MODULE EXITS AND DOES NOT ALLOW THE ADMINISTRATOR TO CONTINUE THE CERTIFICATE GENERATION SESSION

FIG. 2B

111. AUTHENTICATION MODULE ENABLES THE COMPUTER TO BEGIN EXECUTION OF THE COMMUNICATION CONTROL MODULE, THE CERTIFICATION REQUEST VERIFICATION MODULE, THE CERTIFICATION REQUEST EDIT MODULE AND THE CERTIFICATION REQUEST APPROVAL MODULE

112. COMMUNICATION CONTROL MODULE ENABLES THE COMPUTER TO REQUEST RETRIEVAL OF CERTIFICATION REQUESTS OVER THE NETWORK

113. COMPUTER PROCESSES THE FILES UNDER CONTROL OF THE CERTIFICATION REQUEST VERIFICATION MODULE TO VERIFY THAT EACH CONTAINS A PROPERLY FORMATTED CERTIFICATION REQUEST WITH NO CHARACTERS THAT ARE NOT ALLOWED

114. ADMINISTRATOR MAKES USE OF THE CERTIFICATION REQUEST DISPLAY MODULE TO ENABLE THE COMPUTER TO DISPLAY A LIST OF CERTIFICATION REQUESTS THAT HAVE BEEN VERIFIED BY THE COMPUTER DURING PROCESSING UNDER CONTROL OF THE CERTIFICATION REQUEST VERIFICATION MODULE

115. ADMINISTRATOR SELECTS ONE OF THE LISTED CERTIFICATION REQUESTS FOR PROCESSING

FIG. 2C

116. CERTIFICATION REQUEST DISPLAY MODULE ENABLES THE COMPUTER TO DISPLAY INFORMATION FROM THE CERTIFICATION REQUEST FILE

117. CERTIFICATION REQUEST EDIT MODULE ENABLES UPDATE INFORMATION PROVIDED BY ADMINISTRATOR TO BE DISPLAYED AND STORED IN THE CERTIFICATION REQUEST FILE

118. ADMINISTRATOR INPUTS INDICIA INDICATING EITHER APPROVAL OR REJECTION OF THE CERTIFICATE (APPROVAL: step 119; REJECTION: step 123)

119. CERTIFICATION REQUEST APPROVAL MODULE IS ENABLED TO, IN TURN, ENABLE THE COMPUTER TO GENERATE THE CERTIFICATE

120. CERTIFICATION REQUEST APPROVAL MODULE FORMATS THE CERTIFICATION REQUEST INFORMATION FROM THE CERTIFICATION REQUEST FILE, AS UPDATED BY THE ADMINISTRATOR, AS REQUIRED FOR THE CERTIFICATE

FIG. 2D

121. CERTIFICATION REQUEST APPROVAL MODULE CALLS THE DIGITAL SIGNATURE MODULE TO GENERATE A DIGITAL SIGNATURE THEREFOR, FROM THE INFORMATION IN THE CERTIFICATE AND THE PRIVATE KEY

122. CERTIFICATION REQUEST APPROVAL MODULE ENABLES THE COMMUNICATION CONTROL MODULE TO TRANSFER THE GENERATED CERTIFICATE TO THE ENTITY THAT REQUESTED IT OR TO A STANDARD DISTRIBUTION POINT SUCH AS A DIRECTORY SERVICE

123. CERTIFICATION REQUEST APPROVAL MODULE GENERATES A REJECTION NOTICE FOR TRANSMISSION TO THE ENTITY THAT REQUESTED THE CERTIFICATE, WHICH MAY INCLUDE INFORMATION AS TO WHY THE CERTIFICATE WAS REJECTED

124. CERTIFICATION REQUEST APPROVAL MODULE ENABLES THE COMMUNICATION CONTROL MODULE TO TRANSFER THE GENERATED REJECTION NOTICE TO THE ENTITY THAT REQUESTED THE CERTIFICATE

125. CERTIFICATION REQUEST DISPLAY MODULE ENABLES THE COMPUTER TO REMOVE THE JUST-PROCESSED CERTIFICATION REQUEST FROM THE LIST DISPLAYED ON THE SCREEN 14